
Commit 9faa77c

Merge pull request #189093 from barclayn/mi-clarity-03
clarity 03
2 parents dba2b83 + dd47422 commit 9faa77c

2 files changed

+26
-27
lines changed

articles/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md

Lines changed: 12 additions & 13 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: msi
1010
ms.topic: how-to
1111
ms.workload: identity
12-
ms.date: 01/20/2022
12+
ms.date: 02/18/2022
1313
ms.author: barclayn
1414
ms.custom: devx-track-azurecli
1515
zone_pivot_groups: identity-mi-methods
@@ -19,11 +19,12 @@ zone_pivot_groups: identity-mi-methods
1919

2020

2121

22-
Managed identities for Azure resources eliminate the need to manage credentials in code. You can use them to get an Azure Active Directory (Azure AD) token your applications can use when you access resources that support Azure AD authentication. Azure manages the identity so you don't have to.
22+
Managed identities for Azure resources eliminate the need to manage credentials in code. You can use them to get an Azure Active Directory (Azure AD) token for your applications. The applications can use the token when accessing resources that support Azure AD authentication. Azure manages the identity so you don't have to.
2323

24-
There are two types of managed identities: system-assigned and user-assigned. The main difference between them is that system-assigned managed identities have their lifecycle linked to the resource where they're used. User-assigned managed identities can be used on multiple resources. To learn more about managed identities, see [What are managed identities for Azure resources?](overview.md).
24+
There are two types of managed identities: system-assigned and user-assigned. System-assigned managed identities have their lifecycle tied to the resource that created them. User-assigned managed identities can be used on multiple resources. To learn more about managed identities, see [What are managed identities for Azure resources?](overview.md).
2525

2626
::: zone pivot="identity-mi-methods-azp"
27+
2728
In this article, you learn how to create, list, delete, or assign a role to a user-assigned managed identity by using the Azure portal.
2829

2930
## Prerequisites
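Review bot: the new lifecycle sentence (line 24+) blurs the distinction that matters operationally. A system-assigned identity is created and deleted together with its resource, while a user-assigned identity is a standalone resource that outlives whatever it is assigned to, which is exactly what the Delete section later in this file relies on when it says deleting the identity does not remove it from the VM. Suggest: "System-assigned managed identities are created and deleted with the resource they belong to. User-assigned managed identities are standalone resources with their own lifecycle and can be assigned to multiple resources."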
@@ -36,7 +37,7 @@ In this article, you learn how to create, list, delete, or assign a role to a us
3637

3738
To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
3839

39-
1. Sign in to the [Azure portal](https://portal.azure.com) by using an account associated with the Azure subscription to create the user-assigned managed identity.
40+
1. Sign in to the [Azure portal](https://portal.azure.com).
4041
1. In the search box, enter **Managed Identities**. Under **Services**, select **Managed Identities**.
4142
1. Select **Add**, and enter values in the following boxes in the **Create User Assigned Managed Identity** pane:
4243
- **Subscription**: Choose the subscription to create the user-assigned managed identity under.
@@ -53,9 +54,9 @@ To create a user-assigned managed identity, your account needs the [Managed Iden
5354

5455
## List user-assigned managed identities
5556

56-
To list or read a user-assigned managed identity, your account needs the [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) or [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
57+
To list or read a user-assigned managed identity, your account needs to have either [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) or [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignments.
5758

58-
1. Sign in to the [Azure portal](https://portal.azure.com) by using an account associated with the Azure subscription to list the user-assigned managed identities.
59+
1. Sign in to the [Azure portal](https://portal.azure.com).
5960
1. In the search box, enter **Managed Identities**. Under **Services**, select **Managed Identities**.
6061
1. A list of the user-assigned managed identities for your subscription is returned. To see the details of a user-assigned managed identity, select its name.
6162
1. You can now view the details about the managed identity as shown in the image below.
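Review bot: the rewritten role sentence (line 57+) reads less cleanly than the one it replaces: "needs to have either ... or ... role assignments" pairs "either" with a plural noun, and "needs to have" is wordier than "needs". Suggest keeping the old structure with the new emphasis: "your account needs either the [Managed Identity Operator](...) or the [Managed Identity Contributor](...) role assignment." The shortened sign-in step (59+) is consistent with the other sections.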
@@ -68,7 +69,7 @@ To delete a user-assigned managed identity, your account needs the [Managed Iden
6869

6970
Deleting a user-assigned identity doesn't remove it from the VM or resource it was assigned to. To remove the user-assigned identity from a VM, see [Remove a user-assigned managed identity from a VM](qs-configure-portal-windows-vm.md#remove-a-user-assigned-managed-identity-from-a-vm).
7071

71-
1. Sign in to the [Azure portal](https://portal.azure.com) by using an account associated with the Azure subscription to delete a user-assigned managed identity.
72+
1. Sign in to the [Azure portal](https://portal.azure.com).
7273
1. Select the user-assigned managed identity, and select **Delete**.
7374
1. Under the confirmation box, select **Yes**.
7475

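Review bot: the Delete procedure is missing a navigation step. After "Sign in to the Azure portal" (72+), step 2 goes straight to "Select the user-assigned managed identity, and select Delete", whereas the List and Assign sections first have "In the search box, enter **Managed Identities**. Under **Services**, select **Managed Identities**." Suggest inserting that same step here so the list is complete on its own.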
@@ -79,7 +80,7 @@ Deleting a user-assigned identity doesn't remove it from the VM or resource it w
7980

8081
To assign a role to a user-assigned managed identity, your account needs the [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) role assignment.
8182

82-
1. Sign in to the [Azure portal](https://portal.azure.com) by using an account associated with the Azure subscription to list the user-assigned managed identities.
83+
1. Sign in to the [Azure portal](https://portal.azure.com).
8384
1. In the search box, enter **Managed Identities**. Under **Services**, select **Managed Identities**.
8485
1. A list of the user-assigned managed identities for your subscription is returned. Select the user-assigned managed identity that you want to assign a role.
8586
1. Select **Access control (IAM)**, and then select **Add role assignment**.
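Review bot: the context line at 85 has a grammar problem this clarity pass should pick up: "Select the user-assigned managed identity that you want to assign a role" should read "Select the user-assigned managed identity to which you want to assign a role." The shortened sign-in step (83+) matches the other sections.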
@@ -261,10 +262,10 @@ You can't list and delete a user-assigned managed identity by using a Resource M
261262

262263
## Template creation and editing
263264

264-
As with the Azure portal and scripting, Resource Manager templates provide the ability to deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based. You can:
265+
Resource Manager templates help you deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based. You can:
265266

266267
- Use a [custom template from Azure Marketplace](../../azure-resource-manager/templates/deploy-portal.md#deploy-resources-from-custom-template) to create a template from scratch or base it on an existing common or [quickstart template](https://azure.microsoft.com/resources/templates/).
267-
- Derive from an existing resource group by exporting a template from either [the original deployment](../../azure-resource-manager/management/manage-resource-groups-portal.md#export-resource-groups-to-templates) or from the [current state of the deployment](../../azure-resource-manager/management/manage-resource-groups-portal.md#export-resource-groups-to-templates).
268+
- Derive from an existing resource group by exporting a template. You can export them from either [the original deployment](../../azure-resource-manager/management/manage-resource-groups-portal.md#export-resource-groups-to-templates) or from the [current state of the deployment](../../azure-resource-manager/management/manage-resource-groups-portal.md#export-resource-groups-to-templates).
268269
- Use a local [JSON editor (such as VS Code)](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md), and then upload and deploy by using PowerShell or the Azure CLI.
269270
- Use the Visual Studio [Azure Resource Group project](../../azure-resource-manager/templates/create-visual-studio-deployment-project.md) to create and deploy a template.
270271

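Review bot: in the new export bullet (268+), "You can export them" has no clear antecedent (the previous sentence talks about "a template", singular), and "either ... or from" repeats "from". Suggest: "Derive from an existing resource group by exporting a template, either from [the original deployment](...) or from [the current state of the deployment](...)." Note also that both links in that bullet point at the same anchor (#export-resource-groups-to-templates); if both cases are documented in one place, a single link is enough.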
@@ -306,9 +307,7 @@ To create a user-assigned managed identity, use the following template. Replace
306307
```
307308
## Next steps
308309

309-
For information on how to assign a user-assigned managed identity to an Azure VM by using a Resource Manager template, see [Configure managed identities for Azure resources on an Azure VM using a template](qs-configure-template-windows-vm.md).
310-
311-
310+
To assign a user-assigned managed identity to an Azure VM using a Resource Manager template, see [Configure managed identities for Azure resources on an Azure VM using a template](qs-configure-template-windows-vm.md).
312311

313312

314313
::: zone-end

articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad.md

Lines changed: 14 additions & 14 deletions
@@ -12,7 +12,7 @@ ms.subservice: msi
1212
ms.topic: tutorial
1313
ms.tgt_pltfrm: na
1414
ms.workload: identity
15-
ms.date: 01/11/2022
15+
ms.date: 02/18/2022
1616
ms.author: barclayn
1717
ms.collection: M365-identity-device-management
1818
#Customer intent: As a developer or administrator I want to configure a Windows virtual machine to retrieve a secret from key vault using a managed identity and have a simple way to validate my configuration before using it for development
@@ -22,7 +22,7 @@ ms.collection: M365-identity-device-management
2222

2323
[!INCLUDE [preview-notice](../../../includes/active-directory-msi-preview-notice.md)]
2424

25-
This tutorial shows you how a Windows virtual machine (VM) can use a system-assigned managed identity to access [Azure Key Vault](../../key-vault/general/overview.md). Serving as a bootstrap, Key Vault makes it possible for your client application to then use a secret to access resources not secured by Azure Active Directory (AD). Managed Service Identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without including authentication information in your code.
25+
This tutorial shows you how a Windows virtual machine (VM) can use a system-assigned managed identity to access [Azure Key Vault](../../key-vault/general/overview.md). Key Vault makes it possible for your client application to use a secret to access resources not secured by Azure Active Directory (Azure AD). Managed identities are automatically managed by Azure. They enable you to authenticate to services that support Azure AD authentication, without including authentication information in your code.
2626

2727
You learn how to:
2828

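Review bot: the rewrite of line 25 drops the "bootstrap" idea that explains why this tutorial exists: the managed identity authenticates to Key Vault, and the secret retrieved from Key Vault is then what authenticates to the service that doesn't support Azure AD. As written, the new second sentence reads as a general statement about Key Vault. Suggest: "Key Vault then acts as a bootstrap: your client application uses the secret it retrieves to access resources that aren't secured by Azure AD." The sentence "Managed identities are automatically managed by Azure" is also circular; "Azure manages the identity's credentials for you" says what is meant.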
@@ -40,7 +40,7 @@ You learn how to:
4040

4141
## Create a Key Vault  
4242

43-
This section shows how to grant your VM access to a secret stored in a Key Vault. Using managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Azure AD authentication.  However, not all Azure services support Azure AD authentication. To use managed identities for Azure resources with those services, store the service credentials in Azure Key Vault, and use the VM's managed identity to access Key Vault to retrieve the credentials.
43+
This section shows how to grant your VM access to a secret stored in a Key Vault. When you use managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Azure AD authentication.  However, not all Azure services support Azure AD authentication. To use managed identities for Azure resources with those services, store the service credentials in Azure Key Vault, and use the VM's managed identity to access Key Vault to retrieve the credentials.
4444

4545
First, we need to create a Key Vault and grant our VM’s system-assigned managed identity access to the Key Vault.
4646

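Review bot: the double space after "Azure AD authentication." (line 43+) survives the rewrite, and the heading "## Create a Key Vault" (line 41) carries trailing whitespace; both are worth cleaning up while this paragraph is being touched. The change to "When you use managed identities for Azure resources, your code can get access tokens..." reads well.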
@@ -53,35 +53,35 @@ First, we need to create a Key Vault and grant our VM’s system-assigned manage
5353

5454
![Create a Key vault screen](./media/msi-tutorial-windows-vm-access-nonaad/create-key-vault.png)
5555

56-
1. Fill out all required information making sure that you choose the subscription and resource group where you created the virtual machine that you are using for this tutorial.
56+
1. Fill out all required information. Make sure that you choose the subscription and resource group that you're using for this tutorial.
5757
1. Select **Review+ create**
5858
1. Select **Create**
5959

6060
### Create a secret
6161

62-
Next, add a secret to the Key Vault, so you can retrieve it later using code running in your VM. In this tutorial, we are using PowerShell but the same concepts apply to any code executing in this virtual machine.
62+
Next, add a secret to the Key Vault, so you can retrieve it later using code running in your VM. In this tutorial, we're using PowerShell but the same concepts apply to any code executing in this virtual machine.
6363

6464
1. Navigate to your newly created Key Vault.
65-
1. Select **Secrets**, and click **Add**.
65+
1. Select **Secrets**, and select **Add**.
6666
1. Select **Generate/Import**
67-
1. In the **Create a secret** screen from **Upload options** leave **Manual** selected.
67+
1. In the **Create a secret** screen, from **Upload options** leave **Manual** selected.
6868
1. Enter a name and value for the secret.  The value can be anything you want. 
6969
1. Leave the activation date and expiration date clear, and leave **Enabled** as **Yes**
70-
1. Click **Create** to create the secret.
70+
1. Select **Create** to create the secret.
7171

7272
![Create a secret](./media/msi-tutorial-windows-vm-access-nonaad/create-secret.png)
7373

7474
## Grant access
7575

76-
The managed identity used by the virtual machine needs to be granted access to read the secret that we will store in the Key Vault.
76+
The managed identity used by the virtual machine needs to be granted access to read the secret that we'll store in the Key Vault.
7777

7878
1. Navigate to your newly created Key Vault
7979
1. Select **Access Policy** from the menu on the left side.
8080
1. Select **Add Access Policy**
8181

8282
![key vault create access policy screen](./media/msi-tutorial-windows-vm-access-nonaad/key-vault-access-policy.png)
8383

84-
1. In the **Add access policy** section under **Configure from template (optional)** choose **Secret Management** from the pull-down menu.
84+
1. In the **Add access policy** section, under **Configure from template (optional)**, choose **Secret Management** from the pull-down menu.
8585
1. Choose **Select Principal**, and in the search field enter the name of the VM you created earlier.  Select the VM in the result list and choose **Select**.
8686
1. Select **Add**
8787
1. Select **Save**.
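Review bot: step 1 of the Key Vault creation (56+) loses information the tutorial later depends on. The old text said to choose the resource group where you created the VM; "the subscription and resource group that you're using for this tutorial" is vaguer, and the clean-up section deletes that single resource group, so a Key Vault created anywhere else would be left behind. Suggest: "Make sure that you choose the subscription and resource group that contain the VM you created for this tutorial." Smaller points in the same hunk: "Review+ create" (57) is missing a space; "Access Policy" (79) and "Add access policy" (84+) are capitalized differently for the same UI element; line 68 has trailing whitespace and a double space after "secret."; and since the secret in step 69 ("leave the activation date and expiration date clear") stands in for a real service credential, one sentence saying that skipping the expiration is for the tutorial only would fit the clarity goal.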
@@ -93,9 +93,9 @@ This section shows how to get an access token using the VM identity and use it t
9393

9494
First, we use the VM’s system-assigned managed identity to get an access token to authenticate to Key Vault:
9595

96-
1. In the portal, navigate to **Virtual Machines** and go to your Windows virtual machine and in the **Overview**, click **Connect**.
96+
1. In the portal, navigate to **Virtual Machines** and go to your Windows virtual machine and in the **Overview**, select **Connect**.
9797
2. Enter in your **Username** and **Password** for which you added when you created the **Windows VM**.  
98-
3. Now that you have created a **Remote Desktop Connection** with the virtual machine, open PowerShell in the remote session.  
98+
3. Now that you've created a **Remote Desktop Connection** with the virtual machine, open PowerShell in the remote session.  
9999
4. In PowerShell, invoke the web request on the tenant to get the token for the local host in the specific port for the VM.  
100100

101101
The PowerShell request:
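Review bot: two context lines in this list need the same clarity treatment as the ones changed. Step 2 (97), "Enter in your Username and Password for which you added when you created the Windows VM", should read "Enter the Username and Password that you set when you created the Windows VM." Step 4 (99), "invoke the web request on the tenant to get the token for the local host in the specific port for the VM", misdescribes the request: the token request is made from inside the VM to its local instance metadata endpoint, not to the tenant. Suggest: "In PowerShell, send a web request to the VM's local managed identity endpoint to get an access token for Key Vault." Replacing "click" with "select" (96+) is consistent with the rest of the PR.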
@@ -134,11 +134,11 @@ Once you’ve retrieved the secret from the Key Vault, you can use it to authent
134134

135135
When you want to clean up the resources, visit the [Azure portal](https://portal.azure.com), select **Resource groups**, locate, and select the resource group that was created in the process of this tutorial (such as `mi-test`), and then use the **Delete resource group** command.
136136

137-
Alternatively you may also do this via [PowerShell or the CLI](../../azure-resource-manager/management/delete-resource-group.md)
137+
Alternatively you may also clean up resources via [PowerShell or the CLI](../../azure-resource-manager/management/delete-resource-group.md)
138138

139139
## Next steps
140140

141-
In this tutorial, you learned how to use a Windows VM system-assigned managed identity to access Azure Key Vault. To learn more about Azure Key Vault see:
141+
In this tutorial, you learned how to use a Windows VM system-assigned managed identity to access Azure Key Vault. To learn more about Azure Key Vault, see:
142142

143143
> [!div class="nextstepaction"]
144144
>[Azure Key Vault](../../key-vault/general/overview.md)
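Review bot: line 137+ still reads awkwardly: "Alternatively you may also" stacks two alternative markers, and the sentence has no terminal period. Suggest: "Alternatively, you can clean up resources by using [PowerShell or the CLI](../../azure-resource-manager/management/delete-resource-group.md)." The comma added in 141+ is correct.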
